Commit b3c4e4af authored by catch's avatar catch

Issue #3526769 by mcdruid, smustgrave: Avoid abuse of config sync import tarballs

(cherry picked from commit 0bb87cce)
parent 35fd22b0
+6 −1
@@ -121,9 +121,14 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
        $archiver = new ArchiveTar($path, 'gz');
        $files = [];
        foreach ($archiver->listContent() as $file) {
          if (str_ends_with($file['filename'], '.yml')) {
            $files[] = $file['filename'];
          }
        }
        $archiver->extractList($files, $this->settings->get('config_sync_directory'), '', FALSE, FALSE);
        foreach ($files as $file) {
          $this->fileSystem->chmod($this->settings->get('config_sync_directory') . DIRECTORY_SEPARATOR . $file);
        }
        $this->messenger()->addStatus($this->t('Your configuration files were successfully uploaded and are ready for import.'));
        $form_state->setRedirect('config.sync');
      }
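Review bot: The return value of `$this->fileSystem->chmod(...)` in the new loop after `extractList()` is discarded, so if resetting the mode fails for an extracted file, the success status is still shown and the file keeps whatever mode extraction gave it. Because this loop is the control that clears an executable bit carried in the tarball, it should fail closed, for example `if (!$this->fileSystem->chmod($target)) { $this->fileSystem->unlink($target); }` with `$target` holding the concatenated path, plus an error message in place of the success status. The path handed to chmod is built from the archive-supplied entry name, so the loop also relies on `extractList()` having rejected unsafe names; that is presumably the case but is not visible here. submitForm() begins and ends outside this hunk, so any surrounding error handling cannot be seen from it.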
+280 B

File added.

No diff preview for this file type.

+21 −0
@@ -70,4 +70,25 @@ public function testImport(): void {
    $this->assertCount(1, $submit_is_disabled, 'The submit button is disabled.');
  }

  /**
   * Tests importing tarball with non-config contents.
   */
  public function testImportTarballFiltering(): void {
    $this->drupalGet('admin/config/development/configuration/full/import');
    $this->assertSession()->statusCodeEquals(200);

    $tarball = __DIR__ . '/../../fixtures/not_just_config.tar.gz';
    $edit = ['files[import_tarball]' => $tarball];
    $this->drupalGet('admin/config/development/configuration/full/import');
    $this->submitForm($edit, 'Upload');

    $sync_directory = Settings::get('config_sync_directory');
    $this->assertFileExists($sync_directory . DIRECTORY_SEPARATOR . 'config.one.yml');
    $this->assertFileExists($sync_directory . DIRECTORY_SEPARATOR . 'config.two.yml');
    $this->assertFileExists($sync_directory . DIRECTORY_SEPARATOR . 'executable.yml');
    $this->assertFalse(is_executable($sync_directory . DIRECTORY_SEPARATOR . 'executable.yml'));
    $this->assertFileDoesNotExist($sync_directory . DIRECTORY_SEPARATOR . 'script.sh');
    $this->assertFalse(is_executable($sync_directory . DIRECTORY_SEPARATOR . 'script.sh'));
  }

}
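Review bot: The permission check in testImportTarballFiltering() uses `is_executable()`, which only reports whether the user running the test may execute the file, so a mode that leaves an execute bit set for group or other could still pass. Asserting on the mode bits pins the intended outcome more exactly: `$this->assertSame(0, fileperms($sync_directory . DIRECTORY_SEPARATOR . 'executable.yml') & 0111);`. The final `assertFalse(is_executable(... 'script.sh'))` can never fail once `assertFileDoesNotExist()` has passed and could be dropped. The first `drupalGet()` plus status check repeats the request made again just before `submitForm()`, so one of the two is enough.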